Home Network Security Tips for Cybersecurity Awareness Month 2021
October is the Cybersecurity and Infrastructure Agency's (CISA) Cybersecurity Awareness Month, and we pieced together the best advice for locking down home network security to celebrate. Home networks are common targets for obtaining personally identifiable information and performing malicious activity. IoT devices have been especially singled out as they jumped from 19% to 33% of infected devices since 2019. Most of these tips take less than five minutes to implement, so you can easily harden your home network security during a coffee break.
Change default network name and password
Continuing to use the default password with a router is the equivalent of extending a personal invitation to hackers. Once an attacker determines the router's model, they can be on your network with elevated privileges within minutes since many default passwords for routers are publicly available online. When creating your password, keep in mind that even rudimentary brute-force hacking techniques can hack an insufficient password in one day. Strengthen your password by using:
- 12 characters or more
- Mixed upper- and lowercasing
- Special symbols (such as @, #, !, $, etc.)
Adopting a unique network name—known as a Service Set Identifier (SSID)—also fortifies security. Because the network name is also part of the encryption algorithm, hackers build tools called rainbow tables to crack passwords based on the most common network names. It also deters threat actors by hiding the router model and communicating the understanding of best practices. Here's a list of 50 WiFi names for some inspiration.
Use the latest WiFi encryption
Choosing the latest WiFi Protected Access with Pre-shared Key (WPA-PSK) standard is one of the easiest methods to keep attackers at bay. This standard encrypts network traffic that can only be decrypted using the pre-shared key (the network password). Currently, there are two acceptable choices: WPA2 and WPA3. Any standard older than WPA2 implements insufficient security measures.
WPA2 utilizes Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) with the Advanced Encryption Standard (AES) block cipher, which divides network traffic into 128-bit blocks and encrypts the data with deterministic algorithms. The standard is impressively secure with even certain sectors of the United States government relying on AES for protection. Even though attacks have evolved against WPA2, such as Key Reinstallation Attacks (KRACK attacks), they've been criticized for their impracticality. However, the industry will eventually lead us to adopt WPA3.
While all modern routers have WPA2 capabilities, only some routers are currently capable of using WPA3. It takes security a step further using Simultaneous Authentication of Equals (SAE) instead of Pre-Shared Key configurations. This offers better protection for weak passwords and also prevents threat actors from obtaining information like session keys even if they crack the code. WPA3 also features protected management frames by default, which protect against network eavesdropping as well as disconnect and honeypot attacks. While some WPA2-capable devices may support this, it’s not often enabled by default.
Both WPA2 and WPA3 are sufficient security measures, but opt for the latest one available in your router.
Isolate IoT devices on a guest network
IoT devices such as voice assistants, smart speakers, and smart doorbells are incredibly convenient, but every device added to a home network expands its threatscape further. Sure, hacking a smart toaster may not seem like a big deal until you realize that attackers can use it obtain access to your phone and steal your personal data.
This is called lateral movement and it's exactly why the FBI recommends separating IoT devices from primary devices. Once an attacker moves to a primary device, they can leverage known vulnerabilities to install malware, exfiltrate information, or even remotely control a device.
How to enable a guest network depends on your router. For example, Minim users can enable device isolation in the mobile app, but many routers will require the following steps:
- Use a web browser to navigate to your router's IP address, 192.168.1.1 by default
- Login using your username and password, commonly printed on the router
- Navigate to Guest Network (or VLAN) Settings to enable a guest network
On top of using a guest network for segmentation, the FBI also recommends declining any file permission requests from IoT applications that appear unintuitive or unnecessary.
Update router firmware and device software
Preferably, this includes both device software and router firmware. Router firmware updates are mainly published for security purposes, but they can also have performance and reliability enhancing features as well. It's often automatically updated by internet service providers for home users who have a managed WiFi solution like Minim, but some users may have to update their firmware manually. If your router doesn't include a managed WiFi solution, use the following steps as a guideline:
- Visit your router manufacturer's website and search for your router model
- Download your router model's latest firmware and store the firmware file on your PC
- Use a web browser to navigate to your router's IP address, 192.168.1.1 by default
- Login using your username and password, commonly printed on the router
- Navigate to Firmware Settings to upload the firmware file and confirm the update
Note that depending on the router, setting names may vary (e.g. "Firmware Settings," "Software Settings," "Software Update," etc.).
Keeping device software up to date is much easier. Most mobile and desktop operating systems will have an option to check for updates within the general or security settings. It's important to update as soon as possible, as each day spent on an outdated version is another day vulnerable to known exploits. For example, vulnerabilities in iOS allowed malicious actors to obtain contacts, full name, Apple ID email, Apple ID authentication token, and other user information for months until the exploit was patched in version 15.0.2. Since this also applies to applications, enabling automatic updates from The App Store, Google Play Store, or other software vendors is recommended.
Disable Universal Plug and Play (UPnP)
Universal Plug and Play (UPnP) as a protocol was created to more easily set up devices with automatic discovery and facilitate device interaction across a home network. Up to 76% of routers may have this setting enabled and devices like smart TVs, voice assistants, thermostats, and game consoles also utilize UPnP by default for its convenience. But it's been known to open networks to threats like:
- The QBot attack that stole banking credentials using key loggers
- The CallStranger exploit, which infected devices to coordinate Distributed Denial of Service (DDoS) attacks
- The UPnProxy exploit, which allowed threat actors to configure port forwarding rules to traffic malicious activity
In addition to controlling the opening of ports between devices, UPnP automates the discovery and connection of devices. This creates connections that attackers can exploit to obtain remote access to lateral devices, install malware, or even steal information.
Disabling UPnP only creates a slightly higher setup burden for certain devices, but networks with a satisfiable number of devices configured won't experience this setup burden. Once users are comfortable with their network setup, it's recommended to disable UPnP in your router's settings.
More home network security tips to celebrate Cybersecurity Awareness Month year-round
Minim practices cybersecurity awareness 365 days a year with consistent updates on subjects like internet service, smart home & IoT, network security, and WiFi education. Be sure to check out the following blogs to learn more about fortifying networks and enhancing WiFi performance: